What should developers building on MCP or agent-skill marketplaces do differently right now?

Treat installed skills as untrusted runtime code, not vetted static artifacts. Implement continuous behavioral monitoring rather than relying on install-time scans, isolate agent skills in sandboxed environments with minimal permissions, and audit what post-install update mechanisms each skill exposes. Scan-at-install is a necessary but insufficient gate — it does not cover mutation after deployment.

Why did major security scanners from Cisco and Nvidia fail to catch this attack?

The scanners were not buggy — they did exactly what they were designed to do: evaluate the skill at install time. The attack succeeded because the payload was swapped after installation, a technique the scan-once model has no mechanism to detect. The scanners passed the skill because it was clean when they looked at it.

What is the strongest argument that this attack does not represent a systemic threat?

The counter is that post-install mutation requires the attacker to maintain ongoing access to the skill's update mechanism — a harder operation than a one-time compromise. If skill marketplaces implement cryptographic signing tied to immutable releases, the attack surface narrows considerably. The demonstration proves the current model is vulnerable, not that the vulnerability is unfixable.

AI Agent Trust Model Built to Fail // AIDRAN

Security tooling for AI agent skills is borrowed from the static package world, and the borrowing does not hold. When Cisco, Nvidia, and skills.sh scanners cleared the planted skill , they were doing exactly what they were designed to do — evaluate an artifact at a point in time. The attack worked because the artifact changed after that evaluation. No scanner improvement fixes this; the flaw is in assuming that a one-time check governs ongoing behavior.

For organizations deploying agentic AI at scale, the Vercel AI SDK's unified model interface and similar abstraction layers compound the exposure: the same skill can run across , , , and other backends simultaneously, meaning a mutating payload propagates across the entire fleet rather than a single deployment. The fix is not a better scanner — it is a security architecture that treats installed skills as continuously untrusted runtime code. Every organization that has not made that shift is operating on a cleared certificate for an artifact that may have already changed.

AI Agent Security Has a Trust Model Built to Fail

Why Post-Install Mutation Breaks Every Scanner in the Market

Frequently asked

AI Agent Security Has a Trust Model Built to Fail

Why Post-Install Mutation Breaks Every Scanner in the Market

Frequently asked

More on this wire